From 5e1c79dfb310bbb30be0d1816a39defd34600dc5 Mon Sep 17 00:00:00 2001 From: Paul Agbabian Date: Fri, 3 Jan 2025 10:09:20 -0800 Subject: [PATCH] Create an Incident profile (#1293) #### Related Issue: PR 1292 and Slack discussion #### Description of changes: Adds `Incident Finding` specific attributes to a profile that can be added to other non-aggregate Findings. Added the profile to all Findings that extend `finding`. Updated the descriptions of each class. --------- Signed-off-by: Paul Agbabian --- CHANGELOG.md | 3 ++ events/findings/compliance_finding.json | 2 +- events/findings/data_security_finding.json | 2 +- events/findings/detection_finding.json | 2 +- events/findings/finding.json | 6 +++ events/findings/incident_finding.json | 5 ++- events/findings/vulnerability_finding.json | 2 +- profiles/incident.json | 48 ++++++++++++++++++++++ 8 files changed, 65 insertions(+), 5 deletions(-) create mode 100644 profiles/incident.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 475eb37f4..5f52bfcf8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -93,6 +93,8 @@ Thankyou! --> 1. Added `software_component` and `sbom` objects. #1262 1. Added `drive_type` and `drive_type_id` objects. #1287 1. Added `cpu_architecture` and `cpu_architecture_id` objects. #1278 +* ### Profiles + 1. Added `incident` profile. #1293 ### Improved * #### Event Classes @@ -113,6 +115,7 @@ Thankyou! --> 1. Add `security_control` profile to base_event.json and remove this profile elsewhere in the event hierarchy. #1281 1. Add `policies` to `Account Change` class. #1282 1. Add `Unlock` activity to `account_change` class. #1285 + 1. Add `incident` profile to `finding` to affect classes that extend it. #1293 * #### Profiles 1. Added `is_alert`, `confidence_id`, `confidence`, `confidence_score` attributes to the `security_control` profile. #1178 1. Added `risk_level_id`, `risk_level`, `risk_score`, `risk_details` attributes to the `security_control` profile. #1178 
diff --git a/events/findings/compliance_finding.json b/events/findings/compliance_finding.json
index db70760fd..0885817b6 100644
--- a/events/findings/compliance_finding.json
+++ b/events/findings/compliance_finding.json
@@ -1,7 +1,7 @@
 {
 "uid": 3,
 "caption": "Compliance Finding",
- "description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc.",
+ "description": "Compliance Finding events describe results of evaluations performed against resources, to check compliance with various Industry Frameworks or Security Standards such as NIST SP 800-53, CIS AWS Foundations Benchmark v1.4.0, ISO/IEC 27001 etc. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.",
 "extends": "finding",
 "name": "compliance_finding",
 "attributes": {
diff --git a/events/findings/data_security_finding.json b/events/findings/data_security_finding.json
index 8f8d33279..e4d265007 100644
--- a/events/findings/data_security_finding.json
+++ b/events/findings/data_security_finding.json
@@ -1,7 +1,7 @@
 {
 "uid": 6,
 "caption": "Data Security Finding",
- "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data.",
+ "description": "A Data Security Finding describes detections or alerts generated by various data security products such as Data Loss Prevention (DLP), Data Classification, Secrets Management, Digital Rights Management (DRM), Data Security Posture Management (DSPM), and similar tools. These detections or alerts can be created using fingerprinting, statistical analysis, machine learning or other methodologies. The finding describes the actors and endpoints who accessed or own the sensitive data, as well as the resources which store the sensitive data. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
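Review bot: The new compliance_finding description breaks onto a second line in the middle of the string value (right after `finding_info object.`); if that break is a literal newline in the file rather than an escaped `\n`, strict RFC 8259 parsers reject the document, so the file should be run through a strict parser before merge (the hunk header's line counts suggest it is a single line, so this may only be a rendering artefact). The two notes inside the same string also differ in capitalisation, `Note: if the event producer …` versus `Note: If the Finding …`; I would normalise both to `Note: If …`. The identical text is added to data_security_finding.json, detection_finding.json and vulnerability_finding.json in this commit and the same two points apply there. The `attributes` object continues outside the hunk.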
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.",
 "extends": "finding",
 "name": "data_security_finding",
 "attributes": {
diff --git a/events/findings/detection_finding.json b/events/findings/detection_finding.json
index 370cc8f1a..8824d517a 100644
--- a/events/findings/detection_finding.json
+++ b/events/findings/detection_finding.json
@@ -1,7 +1,7 @@
 {
 "uid": 4,
 "caption": "Detection Finding",
- "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.",
+ "description": "A Detection Finding describes detections or alerts generated by security products using correlation engines, detection engines or other methodologies. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.",
 "extends": "finding",
 "name": "detection_finding",
 "attributes": {
diff --git a/events/findings/finding.json b/events/findings/finding.json
index fb33005bf..715c073f4 100644
--- a/events/findings/finding.json
+++ b/events/findings/finding.json
@@ -4,7 +4,13 @@
 "description": "The Finding event is a generic event that defines a set of attributes available in the Findings category.",
 "extends": "base_event",
 "name": "finding",
+ "profiles": [
+ "incident"
+ ],
 "attributes": {
+ "$include": [
+ "profiles/incident.json"
+ ],
 "activity_id": {
 "description": "The normalized identifier of the finding activity.",
 "enum": {
diff --git a/events/findings/incident_finding.json b/events/findings/incident_finding.json
index 9c59e3861..2c8f0b5cc 100644
--- a/events/findings/incident_finding.json
+++ b/events/findings/incident_finding.json
@@ -2,9 +2,12 @@
 "uid": 5,
 "caption": "Incident Finding",
 "category": "findings",
- "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.",
+ "description": "An Incident Finding reports the creation, update, or closure of security incidents as a result of detections and/or analytics.
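Review bot: The `finding` class description on the context line of the finding.json hunk is left unchanged even though the new `profiles` entry and the `$include` of `profiles/incident.json` make the incident profile available to every class that extends `finding`, so a reader of this file gets no pointer to it while each subclass received its own note. I would extend it to `The Finding event is a generic event that defines a set of attributes available in the Findings category. Note: the incident profile may be applied to any class that extends finding; see profiles/incident.json.` The `attributes` object continues outside the hunk.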
Note: Incident Finding implicitly includes the incident profile and it should be added to the metadata.profiles[] array.",
 "extends": "base_event",
 "name": "incident_finding",
+ "profiles": [
+ "incident"
+ ],
 "attributes": {
 "activity_id": {
 "description": "The normalized identifier of the Incident activity.",
diff --git a/events/findings/vulnerability_finding.json b/events/findings/vulnerability_finding.json
index f83e9aba8..f9e368720 100644
--- a/events/findings/vulnerability_finding.json
+++ b/events/findings/vulnerability_finding.json
@@ -1,7 +1,7 @@
 {
 "uid": 2,
 "caption": "Vulnerability Finding",
- "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.",
+ "description": "The Vulnerability Finding event is a notification about weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. Note: if the event producer is a security control, the security_control profile should be applied and its attacks information, if present, should be duplicated into the finding_info object.
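Review bot: `incident_finding` gains `"profiles": ["incident"]` but, unlike finding.json in the same commit, no `$include` of `profiles/incident.json` under `attributes`, and it extends `base_event` rather than `finding`, so the profile's attributes only reach this class if it already declares them natively (the hunk shows only `activity_id`; the rest of `attributes` is outside it). If `assignee`, `priority_id`, `src_url`, `verdict_id` and the others are declared later in the file this is fine, but their `requirement` values should be checked against the profile so the two definitions do not drift apart. The added sentence `it should be added to the metadata.profiles[] array` has an ambiguous `it`; I would write `the profile name "incident" should be listed in the metadata.profiles[] array`.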
Note: If the Finding is an incident, i.e. requires incident workflow, also apply the incident profile or aggregate this finding into an Incident Finding.",
 "extends": "finding",
 "name": "vulnerability_finding",
 "attributes": {
diff --git a/profiles/incident.json b/profiles/incident.json
new file mode 100644
index 000000000..2878bc957
--- /dev/null
+++ b/profiles/incident.json
@@ -0,0 +1,48 @@
+{
+ "description": "The attributes that add incident handling semantics to a Finding.",
+ "meta": "profile",
+ "caption": "Incident",
+ "name": "incident",
+ "annotations": {
+ "group": "primary"
+ },
+ "attributes": {
+ "assignee": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "assignee_group": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "is_suspected_breach": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "priority": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "priority_id": {
+ "group": "context",
+ "requirement": "recommended"
+ },
+ "src_url": {
+ "description": "A Url link used to access the original incident.",
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "ticket": {
+ "group": "context",
+ "requirement": "optional"
+ },
+ "verdict": {
+ "group": "primary",
+ "requirement": "recommended"
+ },
+ "verdict_id": {
+ "group": "primary",
+ "requirement": "recommended"
+ }
+ }
+ }
\ No newline at end of file
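Review bot: `src_url` in the new profiles/incident.json is described as `A Url link used to access the original incident.`, a producer-supplied value that incident consoles will typically render as a clickable link, yet nothing in this profile constrains it; the description should spell it `URL` and say that consumers must validate the scheme (for example accept only http and https) before rendering it, since the profile does not do so. `verdict` and `verdict_id` are both `recommended` while the sibling pair has `priority` as `optional` next to a `recommended` `priority_id`; if the usual pattern of enum id recommended and caption optional is intended, `verdict` should become `optional`, otherwise a short comment in the PR explaining the difference would help. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing before merge.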